Strong No-Go Theorem for Gaussian Quantum Bit Commitment 
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Unconditionally secure bit commitment is forbidden by quantum mechanics. We extend this no-go 
theorem to continuous- variable protocols where both players are restricted to use Gaussian states and 
operations, which is a reasonable assumption in current-state optical implementations. Our Gaussian 
no-go theorem also provides a natural counter-example to a conjecture that quantum mechanics can 
be rederived from the assumption that key distribution is allowed while bit commitment is forbidden 
in Nature. 
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Bit commitment is a cryptographic primitive with a 
large scope of applications ranging from two-party secure 
computation, e.g., secure authentication, to coin flipping. 
It involves two mistrustful parties: Alice must commit to 
a certain bit, which should remain hidden to Bob until 
she reveals its value. A traditional picture for this proto- 
col is as follows: Alice locks a secret bit into a safe that 
she gives to Bob; then, when she wants to reveal her se- 
cret, she simply hands over the key of the safe to Bob. A 
bit commitment protocol is said to be secure if it prevents 
Alice to cheat (i.e., she cannot change the value of the 
bit she had commited) and Bob to cheat (i.e., he cannot 
learn information about the bit before Alice reveals it). 

This primitive has been exhaustively studied in classi- 
cal cryptography, where the security relies on unproven 
computational assumptions [1] [5] . The idea of quantum 
bit commitment (QBC) was first introduced by Bennett 
and Brassard in 1984 [3 , together with the famous BB84 
quantum key distribution protocol. In 1993, Brassard et 
al. proposed a QBC protocol known as BCJL which 
was believed to be secure until 1996, when Mayers [51 
and independently Lo and Chau 6J proved that it was 
not the case. Their proof involved a reduction of the 
BCJL protocol to a purified protocol, which cannot be 
perfectly secure against both Alice and Bob. Thus, it 
appeared that this reduction precludes the existence of 
an unconditionally secure QBC protocol. Because of the 
complexity of this reduction, however, it was not univer- 
sally accepted (see, e.g., |7j) until 2006, when d'Ariano 
et al. provided a complete, formal description of QBC 
protocols that definitely closed the question [8]. This is 
the content of the no-go theorem for QBC. 

Interestingly, this situation is in sharp contrast with 
quantum key distribution, for which unconditionally se- 
cure protocols have been exhibited P|. These two facts, 
namely the possibility of key distribution and impossibil- 
ity of bit commitment, seem to be specific to quantum 
mechanics, and were conjectured by Brassard and Fuchs 
to be actually sufficient to rederive quantum mechan- 



ics from first principles fTU* . This conjecture was later 
proven wrong, but Clifton et al. proved instead that the 
assumptions of no-signalling, no-broadcasting, and the 
impossibility of bit commitment make it work within the 
framework of C*-algebras [TTl. This is known as the CBH 
theorem. 

Coming back to the no-go theorem for QBC, let us 
stress that it only applies to unconditionally secure pro- 
tocols, that is, to the case where Alice and Bob have no 
restriction on their capabilities except those dictated by 
quantum mechanics. This leaves the door open to QBC 
protocols that could be secure under reasonable assump- 
tions on Alice and Bob's capabilities. Such protocols were 
found in the bounded-storage model [12] or by exploiting 
the constraints imposed by special relativity |13| . 

In this Letter, we address QBC protocols with contin- 
uous variables, and explore whether such protocols may 
be found secure when both parties are restricted to use 
Gaussian states and operations. Most quantum infor- 
mation protocols to date have been based on discrete 
variables in a finite-dimensional Hilbert space. Recently, 
however, continuous variables (CV) have been proven to 
be a very powerful alternative approach [14] . In the case 
of optical communication, for example, the quadrature 
components of the light field make especially useful con- 
tinuous variables because of their associated detection 
scheme, namely homodyne detection. This is well illus- 
trated with CV quantum key distribution, which was re- 
cently proven unconditionaly secure [TF and appears as a 
credible alternative to single-photon based quantum key 
distribution [TB]. Dealing with CV quantum informa- 
tion protocols unfortunately comes with a price, namely 
that their analysis may be intractable as an infinite- 
dimensional Hilbert space is involved. 

An elegant solution consists in restricting the analysis 
to so-called Gaussian states and operations, which, apart 
from being efficiently characterizable within the appro- 
priate formalism, can be relatively easily manipulated in 
the laboratory. It is therefore a very natural and im- 
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portant question to ask whether QBC protocols can be 
buih with continuous variables, which could be made se- 
cure if both parties are capable to manipulate Gaussian 
states only. Remember that, although the no-go theorem 
for unconditional security holds for infinite-dimensional 
Hilbert spaces as such, it is unknown whether secure 
QBC can exist when both parties have restricted capabil- 
ities. Here, we answer by the negative if this restriction 
is put at the boundary of the set of Gaussian states, and 
establish a strong no-go theorem for Gaussian QBC pro- 
tocols. Specifically, for any Gaussian QBC protocol, we 
find a corresponding Gaussian cheating strategy. More- 
over, we provide a constructive attack for any CV QBC 
protocol, whereas constructive attacks were previously 
known for finite dimensions only. 

Let us first recall some notions linked to the distin- 
guishability of quantum states. The fidelity between two 
states p and tr is defined as J-{p, cr) — {Tt: yJ~^Jpa\Jp^ . 
li p ~ IV'XV'I and cr = \4>){4>\ ^'^^ Pure states, the fidelity 
is simply | (-010)1^. Any purifications of p and |0) 
of a satisfy J^{tp,(t>) < F{p,a). Uhlmann's theorem [T7] 
states that this inequality can always be saturated, that 
is, there exists a purification of p (resp. a) noted 
(resp. \(f)')) which is such that J^{'ip' ,(f>') — F{p,a). Al- 
though this has been shown regardless of the dimension, 
constructive proofs of this purification are known in fi- 
nite dimensions only |18| . The trace distance between 
the states p and cr is defined as D{p,a) = ^ — cr||j^, 
where \\t\\-^ — TrV r^r for any operator r. The trace dis- 
tance is related to the guessing probability ^{1 + D{p, cr)), 
which is the maximum probability of distinguishing the 
two states with the best measurement. We also recall a 
useful relation between the fidelity and trace distance, 

D{p,a) < ^l-Tip,a), (1) 

as well as the Bhattacharyya bound [121 [20] , namely 

l-D{p,<j)<Tii^V^). (2) 

Quantum bit commitment — Formally, any (reduced) 
QBC protocol can be described as follows: Alice encodes 
her bit b into a pure bipartite state \4>b) ans sends one 
half to Bob. At the end of the committing phase. Bob 
holds either po = Tr^|?/'o)('/'o| or Pi = Tr^|7/'i)(?/'i| if Alice 
wants to commit to or 1, respectively. The protocol is 
referred to as s-concealing if D{pQ, pi) < s, which means 
that Bob cannot learn the value of &, except with prob- 
ability e. To reveal her bit, Alice sends the other half 
of lipb) ■ In a so-called d-cheating strategy, Alice sends 
a state p^ in the committing phase and then decides to 
follow a strategy leading to a final state of her choice, 
iV'o) or IV"?), so that Bob should not be able to distin- 
guish this strategy from a honest strategy with a proba- 
bility greater than 6. This means that D{p\pb) < 6 and 
D{ip^f^,^i,) ^ Here, we will only consider the simple 



strategy in which = po and j^/jj) = \iIjo)- Thus, 
will correspond to Alice initially committing to a zero 
and then cheating so to make it a one. Without loss of 
generality, we will also consider that IV'b) are 2n-mode 
states and pt, are n-mode states. Now, let us state our 
main result: 

Theorem 1 Given any e- concealing Gaussian quantum 
bit commitm,ent protocol to Bob, there exists a Gaussian 
\/2e-cheating strategy for Alice. 

For finite-dimensional protocols, the cheating strategy 
is usually exhibited with the help of Uhlmann's theo- 
rem, which gives purifications |^o) of po and \ipi) of pi 
such that T{'ipo, ipi) = -^(POj Pi)- Unfortunately, it is not 
known how to use this theorem to explicitly construct 
such purifications in infinite dimensions, and, even so, it 
would not help making statements about the Gaussianity 
of such purifications for Gaussian states. Our approach 
is based instead on the notion of intrinsic purification, 
for which we give an explicit construction guarantee- 
ing that every Gaussian state has a Gaussian intrinsic 
purification. Although this purification docs not reach 
Uhlmann's bound, we derive an inequality which is suf- 
ficient to prove our theorem: 

Lemma 1 Given the n-mode states po and pi, there exist 
2n-mode purifications \iPq) of po and of pi such that 

DiiPo^A) < V^D{po,pi). (3) 

Moreover, if po and pi are Gaussian states, so are their 
purifications \iPq) and \ipi). 

Gaussian formalism — The state p of an n-mode 
bosonic quantum system is a unit-trace Hermitian pos- 
itive semi-definite operator on H^", where H is the 
infinite-dimensional Hilbert space spanned by the exci- 
tations of each mode. We note i = ii . . . z„ and |i) — 
\ii) ■ ■ ■ \in), where is the Fock basis of "H. Since H is 
isomorphic to £^(IR), any state p is completely character- 
ized by its Wigner function Wp , a quasi-probability distri- 
bution in the 2n— dimensional phase space parametrized 
by the vector of quadratures ^ = {xi,pi, . . . , Xn,Pn)- 
The covariance matrix 7 of Wp is a real, symmetric 
and positive matrix satisfying the Heisenberg inequality 
J + ifl> where = 0fc=i [ -?i 0] • An n-mode state is 
called Gaussian if its Wigner function is Gaussian, 

Note that a Gaussian state is fully described by its first- 
and second-order moments p G R^" and 7 S R^" x R^". 

A Gaussian operation £ maps any Gaussian state to 
a Gaussian state. Therefore, £ is fully characterized by 
its action on the first- and second-order moments of a 
state. Furthermore, £ is a Gaussian unitary operator if 
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and only if there exists a symplectic matrix S (such that 
Sil.S^ = fi) and a displacement vector d such that for all 
states p, We(p){0 = Wp{S-^^-d) [21]. The Williamson 
decomposition theorem states that a covariance matrix 
7 is described by its symplectic eigenvalues {vi, . . . , Vn\. 
More specifically, for any 7, there exists a symplectic 
transformation S such that S^S'^ = ^fc^iJ^fcb, with 
j/fc > 1 |22j . In particular, for a Gaussian state p, there 
exists a Gaussian operation V ^ a Williamson unitary^ 
such that V^pV = Ei(nLi(l-^fc)4') ^^ere 
^ In other words, any Gaussian state p can be 



mapped via a Gaussian operation V onto a tensor prod- 
uct of thermal states with symplectic eigenvalues i^k- 

Gaussian intrinsic purification — Let p be a n-mode 
state and J7 be a diagonalization of p in the Fock basis, 
that is, J7 is a unitary operator such that pU\j) — 
Pi 6ij , where is the Kronecker delta. We then define 
an intrinsic purification lip) oi p as 



\^) = {U*®U)Y,. 



(4) 



(Note that it is not unique.) Here and in what fol- 
lows, A* (resp. A^) denotes the complex conjugate 
(resp. the transpose) of any linear operator A rela- 
tively to the Fock basis, defined as (i|A*|j) = (i|^|j)* 
and (i|^^|j) = 

A Gaussian intrinsic purification of a Gaussian state 
p thus consists in choosing U — V, that is, using a 
Williamson unitary in order to diagonalize p in the Fock 
basis. Let us show that this purification is indeed Gaus- 
sian. The state X^i V^l^)!^)' being a tensor product of 
two-mode squeezed states, is Gaussian. Since [/ is a 
Gaussian unitary operator, all is left to show in order to 
prove that is a Gaussian state is that U* is a Gaussian 
unitary operator too. Let us take an arbitrary n-mode 
Gaussian state r and assume that U is described by the 
symplectic matrix 5' and displacement vector d. We want 
to show that applying U* to r is equivalent to applying 
the symplectic matrix Y7^S~^Y7^ and the displacement 
YT^d in the phase space. We first note that U* = {U^)'^ 
and observe that U*tU*'' = [Ur'^W f. The transposi- 
tion has a simple expression in phase space, namely, for 
all states ct, W„t{£,) = I^<x(SzO where = 0Li 
1231. This leads us to the relation 



(5) 



n. 



To conclude, we observe that (EJS'^^Ef) 
is a symplectic matrix since E^ri(S^)"^ = - 

Let us now proceed with the proof of LemmaJT] which 
is based on the intrinsic purifications and of the 
n-mode states po and pi. We start with the decomposi- 
tion of \ipb) as \ipb) = (C/j* (g) Ub) J2i Using the 
basis {J7o|k)}k, we can write Tr(y/poy//5i) as 



ij,k 



VmpU ((k|;7j)c/o|i)(i|c/Jc/i|j)(j|;7/(c/o|k)), (6) 



and the inner product ('0o|V'i) as 

EV?WJ (i|(C^o^t/i)1j)(i|C^o^C^i|j>- (7) 
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Using KV'olV'i)! = ^^-'(V^o, V'l) and the definition of U* , 
a straightforward calculation then shows that 



Tr(Vpo^^o^) = /f^^^). (8) 
Combining Eq. (|8| with inequality ([2| gives 



l-Z?(po,Pi) < /nX^, (9) 
which, together with inequality ([!]), yields 

Di^Po, ^i) < v/2 Dipo, pi) - Dipo, pi)2. (10) 

This immediately concludes the proof of Lemma [l] □ 

Lemma 2 Let IVjo) ^.i^-d \ipi) be 2n-mode Gaussian states 
such thatTTA\'>po){'^o \ = Tr^|?/'i)(V'i|, there exists a Gaus- 
sian unitary operator U acting on n modes such that 
(U ® D)|^/'o) = IV-"!)? where D is the identity on n modes. 

In the discrete-variable case, this is a consequence of the 
Schmidt decomposition of lipo) and IV'i)- Here, this role 
is played by the normal mode decomposition |24) . Noting 
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the first- and second- 



and 'Yf, - '^'^ 
B auu 7f, — r B 

Mb J L'-'i, 7i, 

order moments of \^b), the perfectly concealing condition 
TrA|V'o)(V'o| = Tr^|V'i)('(/'i| implies that p^ = pf and 
lo = li ■ As a consequence, 7j^ and 7j^ have the same 
symplectic spectra, so that, by applying the normal mode 
decomposition on 70 and 71 we know that there exist 
symplectic matrices S*^ such that: 



71 = [St ® Sfmst ® 5f )*. 



(11) 
(12) 



and Si can be chosen equal since 7(f = 7^ . The 
symplectic matrix S = Si{Sq)~^ ® ^2n transforms 70 
into 71 by acting on Alice's modes only. Similarly, the 
displacement pi — Spo transforms po into pi by acting 
on Alice's side only, which proves Lemma [2j □ 

Perfectly concealing protocols — We now turn to the 
proof of our no-go theorem for Gaussian QBC. For per- 
fectly concealing protocols (£=0), Alice's cheating strat- 
egy is well-known: she simply applies an appropriate uni- 
tary operation to her half of {ipb) between the two stages 
of the protocol. This allows her to convert |^/;o) into |V'i). 
In the case of Gaussian QBC, Lemma [2] implies that this 
cheating unitary is Gaussian. 

e-concealing protocols — We now investigate the real- 
istic case where the protocol is not perfectly concealing, 
which will finally lead us to the proof of Theorem [T] We 
want to find an explicit Gaussian \/2£-cheating strategy 
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for Alice against a e-concealing QBC protocol. In the 
first stage of the protocol, Alice creates the state Itpo) 
and sends po to Bob. In the second stage, if Alice wants 
to reveal the bit 0, she sends her half of j-^o) to Bob, while 
if she decides to reveal the bit 1, she applies a Gaussian 
unitary operation to her half of \ipo), mapping it to \ipi}, 
and then sends it to Bob. 

As a consequence of Lemina[l] there exist Gaussian pu- 
rifications ItAo) of po and of pi such that D{ipo, V'l) ^ 
^/2D{po, pi). Moreover It/iq) and I-^q) (resp. l-^i) and 
\ipi)) are two Gaussian purifications of the same Gaus- 
sian state Po (resp. pi), so that, according to Lemma [2j 
there exists a Gaussian unitary operator Uq (resp. Ui) 
such that ([/o(8)D)|V'o) = IV'o) (resp. (C/i D)|V'i) = 
We note = {U^^Uo ^ iMo) = (C/f' ^ ^Mo)- 

By unitary invariance of the trace distance, one has 
D{ij;l,^pi) = D{ipo, Thus, for e-concealing protocols, 
we have D{tp\,tpi) < which concludes the proof of 
Theorem [H □ 

We have thus obtained a stronger result than the stan- 
dard no-go theorem since we have shown that QBC re- 
mains impossible even if Alice and Bob are restricted to 
manipulate Gaussian states. Although Lemma [T] can be 
seen as a weak version of Uhlmann's theorem in the sense 
that the intrinsic purification does not reach Uhlmann's 
bound, it is sufficient here because the quantities of inter- 
est in terms of guessing probability are not changed. In- 
terestingly, the question of whether the purifications that 
saturate Uhlmann's bound could both be chosen Gaus- 
sian if the states are Gaussian is still open (although par- 
tial results in this direction have been obtained in .25,). 
Note also that we have an explicit construction of Alice's 
cheating purifications for any CV QBC protocol, Gaus- 
sian or not. This is done by noting that the Gaussian 
constraint can be relaxed in the proof of Lemma [l] and 
that Lemma [2] can be replaced by the usual Schmidt de- 
composition. 

CBH theorem — Consider the subset of quantum me- 
chanics where only Gaussian states and operations are 
allowed. As a result of our no-go theorem, this Gaussian 
model forbids bit commitment while it allows uncondi- 
tional secret key distribution |15) . Interestingly, however, 
it is stricly included in quantum mechanics since, for in- 
stance. Bell inequalities cannot be violated with Gaussian 
states and measurements. This contradicts the Brassard- 
Fuchs conjecture. Furthermore, according to the CBH 
theorem [11], quantum mechanics can be rederived from 
the sole assumptions that signalling, broadcasting, and 
bit commitment are impossible in Nature. While this 
idea is very appealing, the Gaussian model again pro- 
vides a natural counter-example to it. The reason is that 
the CBH theorem actually requires the further assump- 
tion that the physical description of Nature is done within 
the framework of C*-algebras (Spekkens had found a toy 
model compatible with CBH but distinct from quantum 



mechanics [5^, but ours is physically better grounded). 

Conclusion — We have addressed continuous-variable 
quantum bit commitment, and have proven a strong ver- 
sion of the standard no-go theorem in which Alice and 
Bob are restricted to Gaussian states and operations. 
Our proof is based on a Gaussian purification of Gaus- 
sian states, eliminating the need for Uhlmann's theorem. 
Note that Bob is not restricted to Gaussian measure- 
ments at the last stage of the protocol, which may make 
him more powerful than in a fully Gaussian protocol. 
Even then, Alice can always perform a Gaussian cheat- 
ing strategy. This leaves open, however, the possible ex- 
istence of non-Gaussian QBC protocols that could be se- 
cure against Gaussian attacks. More fundamentally, we 
have exhibited a physically motivated counter-example 
to the attempts at rederiving quantum mechanics from 
first principles. 
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